Updates

Further to my last few write ups on Information Security, this one is more focused on all the actions around data safety.

Just when we were getting comfortable with the prior version of PCI, PCI DSS 3.1 was launched earlier this year with a high sense of urgency, outside the typical three-year lifecycle for PCI DSS. I am sure there were compelling reasons for such a quick upgrade, reasons such as Heartbleed and POODLE. I have had the fortune (or misfortune) of witnessing customer anxiety when Heartbleed and POODLE struck. This upgrade to PCI 3.1 retires SSL (Secure Sockets Layer) and mandates moving to TLS (Transport Layer Security). The TLS protocol uses stronger encryption algorithms and can operate on different ports. Established in 1996, TLS is the successor to SSL and ensures there is no snooping on the connection between a server and a client.
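As an added example (not part of the original article), the following Python script shows what the PCI 3.1 change means in practice for a defender: a client context that refuses to negotiate anything below TLS 1.2, and a probe that reports which protocol a server actually picks and classifies it. The protocol groupings and the placeholder host are this example's assumptions, not something the article states.

```python
"""Added example: TLS version probe and classifier for the SSL retirement
described in the article (PCI DSS 3.1). Not the article's own code.

Assumptions (not from the article): SSLv2/SSLv3 are treated as retired;
TLS 1.0/1.1 are flagged as "legacy" because later PCI guidance deprecated
early TLS as well; the host used in __main__ is a placeholder.
"""
import socket
import ssl

RETIRED = {"SSLv2", "SSLv3"}        # retired by PCI DSS 3.1
LEGACY = {"TLSv1", "TLSv1.1"}       # early TLS, flagged as weak (assumption)
ACCEPTED = {"TLSv1.2", "TLSv1.3"}   # what a compliant server should negotiate


def classify_protocol(version: str) -> str:
    """Map a negotiated protocol name (as returned by SSLSocket.version())
    to a verdict: 'retired', 'legacy', 'compliant' or 'unknown'."""
    if version in RETIRED:
        return "retired"
    if version in LEGACY:
        return "legacy"
    if version in ACCEPTED:
        return "compliant"
    return "unknown"


def strict_client_context() -> ssl.SSLContext:
    """Client context that cannot be downgraded below TLS 1.2 by a peer,
    with certificate verification and hostname checking left on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with a deliberately permissive client so we can observe what
    the server chooses, then report the version and its verdict.
    This makes a network call and is not exercised by the tests."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # we want the version, not trust
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version() or "unknown"
    return {"host": host, "version": version, "verdict": classify_protocol(version)}


if __name__ == "__main__":
    print(probe("example.com"))  # placeholder host, replace with your own server
```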

Additionally, there has been a renewed push from the FTC for organizations holding information assets to implement controls around data security. Sure enough, all the right parties are putting the right amount of pressure on this critical asset. NIST (the National Institute of Standards and Technology) was created with the goal of doing R&D, standardizing, and pushing innovation forward across various fields for the betterment of everyone, absolutely free. NIST, in existence since 1821, has prepared guidance on risk assessment. Reviewing and implementing it is all that needs to be done to get a reasonable Information Security framework.

Most of the standards, and industry best practice, call for continuously:

  • Understand Risk
  • Create Risk Register (to include legal, contractual and regulatory risk)
  • Rate Risk
  • Treat Risk

Four steps to better understand and manage risk
